The Norwegian Supervisory Authority (Datatilsynet) has imposed an administrative fine of 1.6 million Norwegian kroner, or the equivalent of 170.000 €, on the Municipality of Bergen.
The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools, and to the employees of the same schools. Due to insufficient security measures, these files have been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools.